Over the last couple of years, the healthcare sector in the Netherlands has been one of the frontrunners in the number of data breaches reported to the Dutch Data Protection Authority (2017, 2018, 2019). With the recent data breach at the GGD, which exposed the personal data of tens of thousands of people getting tested for the coronavirus, the issue of data breaches in the sector has also received very strong public attention. This blog provides insight into how a data breach can be recognised, what practical steps organisations can take to reduce the risk of a breach, and how organisations should respond when one happens.
Recently, the Dutch public has become all too familiar with data breaches: in the midst of the COVID-19 pandemic, it became apparent that there was large-scale trade in the personal data of tens of thousands of Dutch citizens, originating from the two main corona systems of the public health service (GGD). The data includes addresses, telephone numbers, citizen service numbers (BSN) and test results. Previously, the HagaZiekenhuis in The Hague was in the spotlight after it was fined € 460,000 for an incident in which dozens of employees accessed the digital patient file of a Dutch celebrity without authorisation.
It’s not new
According to the latest annual report of the Dutch Data Protection Authority, the number of (reported) data breaches in 2019 increased by 29% to a staggering 27,000 data breach notifications. The report highlighted that the healthcare sector had the second highest number of data breach notifications, as in previous years. Most (reported) data breaches occurred because personal data was sent to the wrong recipient.
Types of data breaches
To recognise a data breach, we first have to know what a data breach is. Data breaches can occur in various shapes and sizes:
- data breaches that cause a "breach of confidentiality": this occurs if data has come into the hands of an unauthorised person. This may be the case, for example, if an email containing personal data is sent to the wrong recipient.
- data breaches that cause a 'breach of integrity': this is when data has been (unintentionally) modified or is no longer complete. This may include, for example, a patient record that is accidentally overwritten with another patient's data.
- data breaches that cause a 'breach of availability': this occurs if data has (unintentionally) ceased to exist or if the data is no longer under control because access is not possible. This could include the (accidental) deletion of personal data.
The above overview shows that a data breach is far from being limited to incorrectly sent e-mails or hacked systems. Instead, data breaches can occur in many different ways. It is important to recognise a data breach in time, so that action can be taken.
After a data breach
After a data breach has been identified, it is first of all important - where possible - to take damage-reducing measures. If, for example, a laptop containing personal data has been lost, it may be possible to wipe this data remotely. In addition, the data breach must usually be reported to the AP (Autoriteit Persoonsgegevens, the Dutch Data Protection Authority) and, in certain cases, also to the data subjects involved.
“A data breach must be reported to the AP within 72 hours after the discovery of the breach, unless the breach does not pose a risk to the 'rights and freedoms' of the individuals involved.”
It can be difficult to assess whether a breach poses such a risk. The EDPB guideline 'Notification requirement for Personal data breaches' can help with this. Note that two thresholds apply: the breach must be reported to the AP unless it is unlikely to result in a risk to the rights and freedoms of the individuals involved, and the individuals themselves must additionally be informed when the breach is likely to result in a high risk for them. For example, a data breach due to data being sent to the wrong recipient does not always need to be reported if it concerns a 'reliable recipient' (e.g. a doctor who is bound by professional secrecy).
The AP mentions in this regard:
“Health data is generally very sensitive. If this type of data is accessed by unauthorised persons, the risk for the data subjects will generally be high. Even if the incorrect recipient destroys or returns this data after it has been viewed. This is because there has already been a major breach of the privacy of the data subject. Data breaches involving Citizen Service Numbers, 'BSN', [PP: which are frequent in healthcare and insurance, as the patient must be identified before providing care] generally also pose a high risk, particularly if additional personal data has also been leaked. If the BSN, in combination with other personal data, falls into the hands of unauthorised persons, the data subjects may run a risk of (identity) fraud.”
The starting point is therefore that data breaches must be reported to the AP. In addition, a data breach must always be recorded in the data breach register. This is also the case if the data breach does not need to be reported to the AP and/or the parties concerned.
If you use a solution like PrivacyPerfect, you can take care of most of these steps with the help of automation.
Various measures can be taken to reduce the risk of a data breach. Awareness within the organisation is essential here. Additionally, the following actionable insights can help reduce the risk of the most common types of data breaches:
Human error can result in medical data being sent to the wrong recipient, for example due to a typing error in the e-mail address or clicking on the wrong recipient.
- The impact of this can be limited by attaching the sensitive data as an attachment to the email message and encrypting this attachment with a password: a wrongly addressed message then exposes only an unreadable file.
- Pass the password to the recipient through a separate channel (e.g. by calling or sending an SMS), never in the same or a follow-up email.
- Also ask yourself whether email is the right digital communication tool for sending this type of sensitive data at all, and consider, for example, organising the communication via a portal or dedicated tooling.
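As an added example of the "encrypt the attachment, send the password separately" step, the script below is not code from the original post or from PrivacyPerfect. It assumes the `openssl` command-line tool (1.1.1 or newer) is available; the file names, function names and the sample letter are constructed for illustration only. It also checks the failure mode a practitioner cares about: a wrong password must not recover the file.

```shell
#!/bin/sh
# Added example (not code from the original post): password-protect a
# sensitive attachment before it leaves the organisation by e-mail.
# Assumes the openssl command-line tool (1.1.1 or newer) is installed.
# File names and the sample letter below are constructed for illustration.

# Encrypt file $1 to $2 with passphrase $3.
# AES-256-CBC with a random salt and a PBKDF2-derived key (200,000
# iterations). The passphrase is passed through an environment variable
# rather than on the command line, so it does not appear in `ps` output
# or in the shell history.
encrypt_attachment() {
  ATTACH_PASS="$3" openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
    -in "$1" -out "$2" -pass env:ATTACH_PASS
}

# Decrypt file $1 to $2 with passphrase $3. Exits non-zero when the
# passphrase is wrong, because the padding check on the last block fails.
decrypt_attachment() {
  ATTACH_PASS="$3" openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
    -in "$1" -out "$2" -pass env:ATTACH_PASS
}

# Generate the passphrase that is read out to the recipient by phone or
# sent by SMS: 96 random bits as 24 hex characters, easy to dictate.
new_passphrase() {
  openssl rand -hex 12
}

# Round-trip check: returns 0 when the right passphrase recovers the file
# and a wrong passphrase does not, 1 otherwise.
demo() {
  work=$(mktemp -d) || return 1
  # Constructed sample content; no real patient data.
  printf 'Patient: J. Doe\nBSN: <redacted>\nResult: negative\n' > "$work/brief.txt"
  pass=$(new_passphrase) || return 1
  encrypt_attachment "$work/brief.txt" "$work/brief.txt.enc" "$pass" || return 1
  decrypt_attachment "$work/brief.txt.enc" "$work/brief.dec" "$pass" || return 1
  cmp -s "$work/brief.txt" "$work/brief.dec" || return 1
  # A wrong passphrase must not yield the plaintext. In the rare case that
  # the padding happens to validate, openssl exits 0 but the content differs.
  if decrypt_attachment "$work/brief.txt.enc" "$work/wrong.dec" "not-the-passphrase" 2>/dev/null; then
    if cmp -s "$work/brief.txt" "$work/wrong.dec"; then
      return 1
    fi
  fi
  rm -rf "$work"
  return 0
}
```

Two practical caveats: the encrypted file still reveals its name and size, so give it a neutral file name, and the recipient needs a compatible tool to open it. If that is a recurring problem, that is the signal the post gives above to move this kind of exchange to a portal instead of e-mail.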
Sensitive paper medical files such as medical records, (youth) care files, and reports on treatment programmes are sometimes taken home, for example in the context of working at home due to COVID-19. Files are accidentally lost, forgotten on the tram, or sometimes even stolen.
- Prevent this by never taking sensitive paper medical files home with you.
- Scan the files at the office and save them on a secure (encrypted) hard disk, USB stick or in a secure document management system within your organisation's IT network. In the latter case, you can then access the files from home when you log in to the secure network environment.
Healthcare institutions sometimes store digital medical data of patients locally on portable devices such as tablets, smartphones, laptops or USB sticks. Just like paper files, employees sometimes take these data carriers home with them.
- Do you make use of portable devices? Then make sure that you always store this personal data in an encrypted format (for example with full-disk encryption on laptops and device encryption on tablets and smartphones). This limits the risks for the people involved when your portable device is lost or stolen.
Healthcare institutions, especially hospitals, are often targets of phishing attacks. A successful phishing email gives an attacker access to an employee's account and mailbox. Attackers then often abuse the account to send new phishing or spam messages, now from a trusted internal address. This can lead to further breaches and/or to (financial) damage for the individuals involved.
- Reduce the risk of phishing attacks by making your employees aware of phishing and ensuring that they can recognise (and report) phishing emails.
- Use spam and phishing filtering on incoming email (a mail filtering gateway, not a network firewall) and keep it up to date, so that unwanted messages are kept to a minimum.
- Enforce multi-factor authentication on email and other accounts, so that a phished password alone is not enough to log in.
Smaller care institutions and care providers such as physiotherapists and GPs, in particular, are regularly hit by ransomware, often as a result of inadequate security or inadequate knowledge of it. As a result of ransomware, the data on your system can fall into the hands of hackers and you can lose access to your data temporarily or permanently. Measures to reduce the risk of a data breach caused by ransomware are:
- Install software updates on time.
- Do not use out-of-date (network) protocols (SMBv1, for example).
- Ensure segmented (separated) computer networks and systems, so that one infected workstation cannot reach every server.
- Make regular backups, keep at least one copy offline or otherwise out of reach of an attacker who has compromised the network, and test that you can actually restore from them, so that you always have access to the personal data even if you are hit by a ransomware attack.
A data breach can happen quicker than you might initially think. It is therefore important to be well prepared. For the healthcare sector in particular, where highly sensitive personal data is processed on a large scale, it's crucial to reduce the risk of a breach and, if one does happen, to limit its impact wherever possible. Compromised patient data does not only harm the data subject; it also damages the patient's trust and the organisation's reputation. It is therefore critical to raise awareness of the importance of data privacy throughout the organisation, so that employees at every level know what a data breach is, are alert to it, know what to do if one occurs, and have the necessary tools at their disposal so they can keep doing what they do best - providing healthcare.
If you would like to learn more about the added value of data privacy compliance for healthcare organisations, you can download our paper, which focuses specifically on Dutch care and cure organisations (in Dutch).